Privacy & Information Security Law Blog

On September 7, 2011, the United Kingdom Information Tribunal published a decision that appears to resolve the long-running uncertainty regarding the extent to which anonymized personal information may be disclosed under the UK’s Freedom of Information legislation. The UK’s FOIA was introduced and applicable to most of the UK in 2000, with equivalent law following for Scotland in 2002.

On October 13, 2011, Marty Abrams, President of the Centre for Information Policy Leadership at Hunton & Williams LLP, presented “Accountability in a Page” as part of the “What it Means to Be Accountable” plenary session at the PIPA Conference 2011 taking place in Vancouver, British Columbia. Mr. Abrams, who leads the Centre’s Accountability Project, outlined the essential elements of accountability and described how top multinational companies are building accountability-based programs. According to Mr. Abrams, “accountability as mandated by the Canadian ...

On September 23, 2011, the Labor Chamber of the Court of Appeals of Caen (the “Court”) upheld a decision to suspend a whistleblower program implemented by a U.S. company’s French affiliate, despite the fact that the French Data Protection Authority (the “CNIL”) had inspected and approved the program prior to implementation. This decision follows recent amendments to the legal framework for whistleblower programs in France.

On September 13, 2011, the Singapore Ministry of Information, Communications and the Arts (the “Ministry”) published a Proposed Consumer Data Protection Regime for Singapore, outlining possible ideas for a data privacy framework and soliciting comments from the public. A few of the suggestions from the Ministry’s proposal that appear most likely to be reflected in a final data privacy law are outlined below.

On October 7, 2011, the Constitutional Court of Colombia approved a landmark omnibus data protection law.  According to its press release, the Court approved almost all provisions in the legislation, known as Ley estatutaria No. 184/ 10 Senado, 046/10 Cámara, but it took issue with Article 27 (which addresses the government’s processing of certain data), Article 29 (which addresses the expunging of certain criminal records) and Articles 30 and 31 (which both address intelligence and counterintelligence databases).  Many of the remaining provisions reflect a strong European influence.  Some highlights include:

• With certain exceptions, the law prohibits the processing of personal data without the data subject’s prior consent.  When the personal data are sensitive data (e.g., health data), the consent must take the form of an explicit authorization.
• The law permits cross-border transfers of personal data to countries that lack adequate data protection laws only in specified circumstances, such as (1) when the data subject has given express and unequivocal consent for the transfer (2) the transfer is necessary for the performance of a contract between the data subject and the data controller, or (3) with the approval of the Superintendence of Industry and Commerce.
• The processing of children’s personal data is generally prohibited.
• Data subjects have access rights.

On September 29, 2011, the German federal and state data protection authorities (“DPAs”) issued a resolution on cloud computing and compliance with data protection law. The publication was released in conjunction with the DPAs’ 82nd annual conference.

On September 22, 2011, new provisions under the French Data Protection Authority’s (“CNIL’s”) internal regulation (Délibération n°2011-249 du 8 septembre 2011) came into force. The CNIL recently amended its regulations to incorporate a new chapter (Chapter IV bis) that sets forth a specific procedure for issuing privacy seals in accordance with the French Data Protection Act. The Act authorizes the CNIL to “issue a quality label to products or procedures intended to protect individuals with respect to processing of personal data, once [the CNIL] has recognized them as in compliance with the provisions of the Act.”

On September 27, 2011, OnStar announced it was reversing proposed changes to its Terms and Conditions that would have allowed the company to continue to receive data from former subscribers’ vehicles unless they specifically opted out.  OnStar’s current Privacy Statement indicates that the GM subsidiary collects information regarding its customers’ vehicle operation, location, approximate speed, collision data and safety belt usage in connection with OnStar’s in-vehicle GPS navigation and emergency response services, and that the company “may share or sell” any of this data in anonymized form with third parties.  OnStar recently notified customers by email that it would continue to collect data from former subscribers, and that it reserved the right to distribute such data to third parties.  The announcement prompted a swift and strong reaction from members of Congress skeptical of the proposed policy changes.

On September 28, 2011, a federal court in Illinois held that West Publishing Company (“West”) had not violated the Driver’s Privacy Protection Act (“DPPA”) by reselling driver’s license information obtained from state DMVs.  The court held that (1) the DPPA creates a federal private right of action permitting individuals like the plaintiffs to bring their class action suit, but (2) the lower court’s dismissal for failure to state a claim was proper.

On Tuesday, September 27, 2011, the European Privacy Officers Forum (“EPOF”) celebrated its 10th anniversary with a gala reception at the BELvue Museum in Brussels. EPOF is composed of EU-based data protection compliance officers and internal legal counsel from over 30 multinational companies and public-sector institutions who meet three times a year in Brussels to exchange ideas and to hear presentations by data protection authorities and other government representatives. The gala, which was attended by approximately 100 people, featured opening remarks from Peter Hustinx, European Data Protection Supervisor, the Honorable William E. Kennard, U.S. Ambassador to the EU, and Paul Nemitz, Director of Fundamental Rights and Citizenship of the European Commission.